We have to write a regex in order to extract some fields in Splunk (at index time) from our event. These fields will be used in searches with the `tstats` command. The regex will go into a stanza in the Splunk configuration file `transformation.conf`.
The main characteristic of the fields we want to extract at index time is that they have the same JSON key but a different parent JSON key.
Is it possible to model this extraction with a regex?
This is an example of a Splunk event with the structure described above (JSON, by the way):
```json
{
  "info":{
    "eventSource":"",
    "sourceType":"I/O",
    "status":{
      "code":"",
      "msg":"",
      "msgError":""
    },
    "transactionId":null,
    "traceId":null,
    "timestampStart":"2019-05-16T21:30:55.174Z",
    "timestampEnd":"2019-05-16T21:30:55.174Z",
    "companyIDCode":"",
    "channelIDCode":"",
    "branchCode":"",
    "searchFields":{
      "key_3":"value",
      "key_2":"value",
      "key_1":"value"
    },
    "annotation":{},
    "caller":{
      "id":"",
      "version":"",
      "acronym":""
    },
    "called":{
      "id":"",
      "version":"",
      "acronym":""
    },
    "storage":{
      "id":"",
      "start":"",
      "end":""
    }
  },
  "headers":[],
  "payLoad":{
    "input":{
      "encoding":"1024",
      "ccsid":"1024",
      "data":"dati_in"
    },
    "output":{
      "encoding":"1024",
      "ccsid":"1024",
      "data":"dati_out"
    }
  }
}
```
The expected result is something like this:
* calledid -> aaa
* callerversion -> 1
* callerid -> bbb
We tried something like this:
```
[calledid]
REGEX = (?<=called).*"id":"(?P.*?)(?=")
FORMAT = calledid::"$1"
WRITE_META = true
```
but it doesn't work because it matches up to the last `id` it finds, such as:
```
":{"id":"","version":"","acronym":""},"storage":{"id":"
```
Thanks in advance.
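The greedy `.*` in the stanza above is what runs past the `called` object to the last `"id":"` in the event. The following is an added example (not part of the original post or of Splunk) that reproduces that over-match on a constructed event in the same shape as the one posted, and then shows a pattern that anchors the child key to its parent object by forbidding braces between them. The event values (`aaa`, `bbb`, `sss`, ...), the group name `val` standing in for the name lost from the posted regex, and the helper names are all assumptions made for the example.

```python
import json
import re

# Constructed sample event with the same layout as the posted one, with
# values filled in so the extractions return something (not the page's data).
EVENT = {
    "info": {
        "caller": {"id": "bbb", "version": "1", "acronym": ""},
        "called": {"id": "aaa", "version": "2", "acronym": ""},
        "storage": {"id": "sss", "start": "", "end": ""},
    },
    "headers": [],
    "payLoad": {"input": {"data": "dati_in"}, "output": {"data": "dati_out"}},
}
COMPACT = json.dumps(EVENT, separators=(",", ":"))  # single-line form, as in the post
PRETTY = json.dumps(EVENT, indent=2)                 # indented form, newlines and spaces

# The posted attempt, with the capture group named "val" (assumed name).
# The greedy `.*` backtracks from the end of the event, so it stops at the
# LAST `"id":"` it can find, not the one inside the `called` object.
GREEDY = re.compile(r'(?<=called).*"id":"(?P<val>.*?)(?=")')

def greedy_value(raw):
    """Value captured by the over-matching regex, or None if it does not match."""
    m = GREEDY.search(raw)
    return m.group("val") if m else None

def anchored_pattern(parent, child):
    """Regex that captures `child`'s string value only inside the object
    keyed `parent`. `[^{}]*?` may skip other scalar members of that object
    but cannot cross a brace, so it never leaves the parent object or enters
    a nested one. `\\s*` tolerates both compact and indented JSON, and
    `[^"]*` stops at the closing quote instead of running on."""
    return re.compile(
        r'"' + re.escape(parent) + r'"\s*:\s*\{[^{}]*?"'
        + re.escape(child) + r'"\s*:\s*"([^"]*)"'
    )

def extract(raw, parent, child):
    """Return the child's value under the given parent, or None if absent."""
    m = anchored_pattern(parent, child).search(raw)
    return m.group(1) if m else None

if __name__ == "__main__":
    print("greedy  called.id  ->", greedy_value(COMPACT))          # sss (wrong object)
    print("anchored called.id ->", extract(COMPACT, "called", "id"))  # aaa
    print("anchored caller.id ->", extract(PRETTY, "caller", "id"))   # bbb
    print("anchored caller.version ->", extract(COMPACT, "caller", "version"))  # 1
```

The group in `anchored_pattern` is the first capture, so the same expression can be dropped onto the `REGEX =` line of a stanza of the shape the post uses, with `FORMAT` referring to `$1`. The one limitation to keep in mind is that `[^{}]*?` only skips scalar members: if the wanted key came after a nested object inside the same parent, the pattern would need extending.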